Much has been written about the increasing prevalence of, and need for, cyber insurance. At the same time, it is important that policyholders or prospective purchasers of cyber insurance keep their eyes open. Ultimately, cyber insurance – like all insurance – is nothing more than a promise: In return for a (substantial) premium payment, the insurer promises to provide coverage in the event of an adverse outcome. Further, insurance is fundamentally unlike other contractual relationships in that the purchaser has no ability to “cover” if there is a counterparty breach; once a loss has occurred or a liability has arisen, replacement insurance is effectively unavailable anywhere at any price.
These are risks that inhere in any insurance transaction, but the novelty of cyber insurance magnifies these risks.
The risk of strategic insurer nonperformance is higher. Most insurance policies use standard-form language that has become encrusted with meaning, as a result of decades of litigation. This limits (even if it does not prevent entirely) insurers’ ability to take unreasonable coverage positions. Because cyber insurance is a relatively new product, however, there is no standardization of policy language. Further, even though perfect clarity of expression is impossible in any written document, the technical nature of the risk exposure, and ensuing coverage, makes cyber policies rife with ambiguity. As a result, insurers have the ability to take post hoc coverage positions that are inconsistent with insurance purchasers’ reasonable expectations (and that are in fact consistent only with opportunistic insurer profit-seeking).
A recent insurance lawsuit highlights the risk: A policyholder faced a lawsuit arising out of the release of electronic medical records caused by a third-party vendor. It turned to its cyber insurer, Columbia Casualty, for coverage. Although Columbia Casualty funded an ensuing settlement under reservation of rights, it turned around and sued its policyholder for recoupment, alleging that coverage was barred by a policy exclusion for “failure to follow minimum required practices.” The insurer contended that its insured failed “to consistently implement the procedures and risk controls identified in the … application.” The insurer also sought to invalidate the policy entirely, contending that the insured misrepresented in its application that it would follow those required practices. See generally Columbia Cas. Co. v. Cottage Healthcare Sys., No. 2:15-cv-03432 (C.D. Cal.). In other words, Columbia Casualty sought to avoid coverage and, indeed, blow up the policy entirely, because it contended that its policyholder was guilty of oversight or neglect. Now, most of us assume that insurance is deliberately intended to cover unintentional or negligent acts or omissions, but Columbia Casualty seized on ambiguous policy language (and the answer to an ambiguous “check the box” question on the application) to attempt to strip its policyholder of valuable insurance rights that it had already paid for and could not repurchase. The case was dismissed on procedural grounds, so it is unclear whether these insurer arguments would actually prevail, but this lawsuit demonstrates that caution is in order, so that the purchaser of expensive cyber insurance buys something more than just a lawsuit.
The risk of insurer insolvency is unclear and perhaps substantial. Further, the scope of insurers’ cyber-risk exposure remains unclear. Despite the rapid growth in cyber insurance placements, there remains no standard model evaluating cyber exposures. (This would be akin to an insurer writing earthquake insurance without knowing whether properties are located in Southern California or Vermont.) While Lloyd’s of London, with others, has just released such an exposure model, that may be closing the barn door after the horse has escaped. Further, the losses from data breaches or other cyber-events can be massive.
Consequently, it is not clear whether insurers who now are eagerly issuing cyber policies would have the funds in hand if the risks they are underwriting were to eventuate. Indeed, just last week Kroll Bond Rating Agency sounded a cautionary note in this regard: “Knowing what the numbers are when it comes to cybersecurity, what they mean, and where the trends are headed will challenge the insurance industry in the months ahead. Risks with low or unpredictable frequency and high severity are a pricing and solvency nightmare for insurers.” This unpredictability further counsels caution, so that the purchaser of expensive cyber insurance buys something more than just an unsecured claim in an insolvency proceeding that pays pennies on the dollar.
This is not to say that companies should forgo purchasing cyber insurance; cyber risks are real and substantial, and insurers have rewritten their existing insurance policies to exclude those risks. These counterparty risks do, however, highlight the need for careful evaluation of cyber policies before purchase – not only the promised scope of coverage and the price, but also the details of policy language and the reputation and financial strength of the underwriter. Experienced brokers and experienced coverage counsel are invaluable – and complementary – allies in this process; they can scrutinize policy language, suggest revisions where appropriate, and leverage their experience to minimize unhappy surprises.